-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello. I prepared LTS security update for leptonlib. Please review and upload. You can find debdiff along with the mail. link: https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc I done following tests. - - Installed new build in a wheezy machine - - Tested against POC from https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516 - - Ran all regression tests provided in prog/alltests_reg.c - - Ran prog/comparetest.c as it is one of the program which uses `gplot` -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlqEAJ4ACgkQhj1N8u2c KO8uBQ//WE7DHX6XPpvmASeAI0clLUBw2zzVn8xM6w2uAqCWKtXeS0wqsDgy4urj JS9ggebmHC+aeY8EqM18Cla/TIFXnSCXCOT5hG4fK68aD2FnZ1TZwtSP5GtxYhVN YD3D3FR9astbhLEReLytLxSwXCbGeaDNI7mSi5rnN5eoFdMVhG2ZaVBvzmcE5kSt 9BBKQqgLJ2MzkPQxi9JiwrL8au1WO3A3t8HtOZKf80UcBECiMOqkjmVEiW2/hA0n bGDb8J5f/QC+6UYIiIkEb2o2CMuEmplOm6G43vm+XZjqWP6XpfFFnHHhKnHDeQrQ Z9IRJ4RnFI2B5+l3vwC6WS6e/j+PsuE3sk1MBLlAGLAF69cspSOBxV4MvBQQFvCB 5YHW02Q/VKvejneSOsm/IIrZCau4JGC9uHCzSLRTa3tMg6HZd6CkI/B4l+IFg1Eo y61hb0sVJT5vgA5eNxv5G+B8fqNQTHNc0kmsef1OyReOA8dEkG1Q2OCayFcW6iQW JOUzHOP3R8pFiF8eLToxrY32KPsYh5S3KIgD4sNbjw5J23sEKY1Dn1uXgnLNL7BG hpJoTdwProANQWBW2iY5cxYyTqP3PSk6fYWx5VPAWNDOg0PnMxO4hCed6mrg0hvH XA1PeoxFEREvCyChxWDZL4Yg9ggB5Evba/qIwcTpNPC0Ma7KS9Q= =fUrC -----END PGP SIGNATURE-----
diff -Nru leptonlib-1.69/debian/changelog leptonlib-1.69/debian/changelog
--- leptonlib-1.69/debian/changelog 2012-07-19 21:39:52.000000000 +0000
+++ leptonlib-1.69/debian/changelog 2018-02-13 18:06:39.000000000 +0000
@@ -1,3 +1,11 @@
+leptonlib (1.69-3.1+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2018-3836: gplotMakeOutput Command Injection Vulnerability
+ (closes: #889759)
+
+ -- Abhijith PA <abhijith@disroot.org> Tue, 13 Feb 2018 23:36:39 +0530
+
 leptonlib (1.69-3.1) unstable; urgency=medium
 * Non-maintainer upload
diff -Nru leptonlib-1.69/debian/patches/CVE-2018-3836.patch leptonlib-1.69/debian/patches/CVE-2018-3836.patch
--- leptonlib-1.69/debian/patches/CVE-2018-3836.patch 1970-01-01 00:00:00.000000000 +0000
+++ leptonlib-1.69/debian/patches/CVE-2018-3836.patch 2018-02-13 18:06:39.000000000 +0000
@@ -0,0 +1,125 @@
+Description: Fix CVE-2018-3836.patch
+ An exploitable command injection vulnerability exists in the gplotMakeOutput
+ function of Leptonica. A specially crafted gplot rootname argument can cause a
+ command injection resulting in arbitrary code execution.
+ An attacker can provide a malicious path as input to an application that passes
+ attacker data to this function to trigger this vulnerability. Patch backported from
+ upstream.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://build.opensuse.org/package/view_file/home:kbabioch:branches:openSUSE:Leap:42.3:Update/leptonica/CVE-2018-3836.patch
+Bug: https://github.com/DanBloomberg/leptonica/issues/303
+Bug-Debian: https://bugs.debian.org/889759
+Last-Update: 2018-02-13
+
+Index: leptonlib-1.69/src/gplot.c
+===================================================================
+--- leptonlib-1.69.orig/src/gplot.c
++++ leptonlib-1.69/src/gplot.c
+@@ -129,9 +129,10 @@ gplotCreate(const char *rootname,
+ const char *xlabel,
+ const char *ylabel)
+ {
+-char *newroot;
+-char buf[L_BUF_SIZE];
+-GPLOT *gplot;
++char *newroot;
++char buf[L_BUF_SIZE];
++l_int32 badchar;
++GPLOT *gplot;
+
+ PROCNAME("gplotCreate");
+
+@@ -141,6 +142,9 @@ GPLOT *gplot;
+ outformat != GPLOT_EPS && outformat != GPLOT_X11 &&
+ outformat != GPLOT_LATEX)
+ return (GPLOT *)ERROR_PTR("outformat invalid", procName, NULL);
++ stringCheckForChars(rootname, "`;&|><\"?*", &badchar);
++ if (badchar) /* danger of command injection */
++ return (GPLOT *)ERROR_PTR("invalid rootname", procName, NULL);
+
+ if ((gplot = (GPLOT *)CALLOC(1, sizeof(GPLOT))) == NULL)
+ return (GPLOT *)ERROR_PTR("gplot not made", procName, NULL);
+@@ -360,18 +364,10 @@ l_int32 ignore;
+ gplotGenDataFiles(gplot);
+
+ #ifndef _WIN32
+- if (gplot->outformat != GPLOT_X11)
+- snprintf(buf, L_BUF_SIZE, "gnuplot %s &", gplot->cmdname);
+- else
+- snprintf(buf, L_BUF_SIZE,
+- "gnuplot -persist -geometry +10+10 %s &", gplot->cmdname);
++ snprintf(buf, L_BUF_SIZE,
"gnuplot -persist %s", gplot->cmdname);
+ #else
+- if (gplot->outformat != GPLOT_X11)
+- snprintf(buf, L_BUF_SIZE, "wgnuplot %s", gplot->cmdname);
+- else
+- snprintf(buf, L_BUF_SIZE,
+- "wgnuplot -persist %s", gplot->cmdname);
+-#endif /* _WIN32 */
++ snprintf(buf, L_BUF_SIZE, "wgnuplot -persist %s", gplot->cmdname);
++#endif /* _WIN32 */
+ ignore = system(buf);
+ return 0;
+ }
+Index: leptonlib-1.69/src/utils.c
+===================================================================
+--- leptonlib-1.69.orig/src/utils.c
++++ leptonlib-1.69/src/utils.c
+@@ -50,6 +50,7 @@
+ * l_int32 stringSplitOnToken()
+ *
+ * Find and replace string and array procs
++ * l_int32 stringCheckForChars()
+ * char *stringRemoveChars()
+ * l_int32 stringFindSubstr()
+ * char *stringReplaceSubstr()
+@@ -1138,6 +1139,48 @@ char *saveptr;
+ * Find and replace procs *
+ *--------------------------------------------------------------------*/
+ /*!
++ * \brief stringCheckForChars()
++ *
++ * \param[in] src input string; can be of zero length
++ * \param[in] chars string of chars to be searched for in %src
++ * \param[out] pfound 1 if any characters are found; 0 otherwise
++ * \return 0 if OK, 1 on error
++ *
++ * <pre>
++ * Notes:
++ * (1) This can be used to sanitize an operation by checking for
++ * special characters that don't belong in a string.
++ * </pre>
++ */
++l_int32
++stringCheckForChars(const char *src,
++ const char *chars,
++ l_int32 *pfound)
++{
++char ch;
++l_int32 i, n;
++
++ PROCNAME("stringCheckForChars");
++
++ if (!pfound)
++ return ERROR_INT("&found not defined", procName, 1);
++ *pfound = FALSE;
++ if (!src || !chars)
++ return ERROR_INT("src and chars not both defined", procName, 1);
++
++ n = strlen(src);
++ for (i = 0; i < n; i++) {
++ ch = src[i];
++ if (strchr(chars, ch)) {
++ *pfound = TRUE;
++ break;
++ }
++ }
++ return 0;
++}
++
++
++/*!
+ * stringRemoveChars()
+ *
+ * Input: src (input string; can be of zero length)
diff -Nru leptonlib-1.69/debian/patches/series leptonlib-1.69/debian/patches/series
--- leptonlib-1.69/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ leptonlib-1.69/debian/patches/series 2018-02-13 18:06:39.000000000 +0000
@@ -0,0 +1 @@
+CVE-2018-3836.patch
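Review bot: The return value of `stringCheckForChars()` is discarded in the nested `gplotCreate` hunk, and the helper clears `*pfound` before it reports an error, so an error return leaves `badchar` at 0 and creation proceeds as if the name were clean; test both, ``if (stringCheckForChars(rootname, "`;&|><\"?*", &badchar) || badchar)``. A deny-list is also the weaker shape for a value that `gplotMakeOutput` later interpolates unquoted into the `system()` command line: `$`, parentheses, quotes, backslash and whitespace are not rejected, so an allowlist of what a root name legitimately needs (letters, digits, `.`, `_`, `-`, `/`) would be the more defensible backport, and either check only covers names that enter through `gplotCreate` — if anything else fills `gplot->cmdname`, which this hunk does not show, the sink stays unguarded. The same hunk changes behaviour unrelated to the CVE: gnuplot is no longer launched in the background (the trailing `&` is gone) and the X11 `-geometry +10+10` option is dropped, neither of which the changelog entry mentions; a line there would keep wheezy users from being surprised by `gplotMakeOutput` now blocking until gnuplot exits. In `stringCheckForChars`, `n = strlen(src)` narrows `size_t` to `l_int32`; harmless for file names, but a `size_t` loop index would avoid the implicit conversion.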
Attachment:
leptonlib_deb7u1.debdiff.sig
Description: PGP signature